How Much Security is Enough?

Bitesize thoughts and insights on Security & Risk from the ISSA-UK

A series of 400-500 word mini-dispatches for busy CISOs. Deliberately thought-provoking opinion pieces designed to inform and stimulate debate on the hottest topics in the industry.

From the ISSA-UK research and management teams.

How Much Security is Enough?

ThoughtBite 25 October 2012

This is arguably the most difficult question that can be thrown at an information security manager, particularly when dealing with senior management and the Board. I recall several Board-level negotiations that went along the lines of a CISO asking what level of losses the business was prepared to tolerate. “Zero” came the CEO’s reply. Momentarily holding back on the fact that zero breaches/losses is an impossibility, the CISO responds with: “So how much can we increase the security spend to get closer to the zero losses you desire?” Yes, you guessed it… “zilch” came the reply.

This mismatch between senior management’s security expectations and available budget has historically dogged our profession and largely boils down to the problem of security ROI, or rather a general inability to clearly quantify it.

Security costs are both tangible and intangible. As an example of the latter, I recently saw an internal spreadsheet-based classification, risk analysis and approvals form of a major organisation, used for authorising the sharing of data internally. It ran to ten pages and around a hundred rows of questions, ratings and responses, plus all the approval steps and departments required for sign-off. The total time and effort required to complete such a process is obviously significant – and I pass no judgement on either the necessity or the benefits of it, but merely cite it as an example of a procedural risk control with significant ‘intangible’ overheads attached.

For a budget-constrained and overburdened security function there is a consequent temptation, if not downright necessity, to implement lots of procedural controls around every business process: they compensate for the lack of hard spend on security by shifting some of the cost and effort into intangibles, spread across all aspects of the business in the guise of numerous forms, risk assessments and approvals. If nothing else, these tortuous procedures deter, or at least slow, the incoming requests and changes the team has to deal with, but one is left feeling that the whole business is less agile and productive as a result.

So what’s the answer or opportunity here? Well, taking the above examples of lengthy procedural security controls imposed across a business, and the consequent impacts on employees’ time and business agility, there is a case for analysing and quantifying these intangible overheads as tangible ones, in terms of total employee hours and impacts on productivity. These aggregated costs can then be offset against the improved efficiencies that could be had by substituting some additional hard spend on security. Now I’m not suggesting for a moment that all procedural security controls are superfluous, or that they can all be replaced by spending on technology. However, there will be many situations where a ‘sweet spot’ can be identified: where it is possible to show a clear ROI because increasing security’s hard spend on, say, improved automation or data management simultaneously improves levels of security and business efficiency, and also reduces the overall cost to the business.

Easy to say, harder to do. However, the opportunity is there and awaits those resourceful enough to spot and exploit it.

Adrian Wright. Director of Research, ISSA-UK